FireBrick to FireBrick IPsec (Howto): Difference between revisions
Content deleted Content added
Prettyful colours |
|||
| Line 27: | Line 27: | ||
==FireBrick London Config== |
==FireBrick London Config== |
||
<syntaxhighlight lang=xml> |
|||
<ipsec-ike comment="toReading"> |
<ipsec-ike comment="toReading"> |
||
<connection name="toReading" local-ip="203.0.113.1" peer-ips="198.51.100.1" graph="ReadingIPsec" routes="10.0.0.0/24" local-ID="1" peer-ID="1" auth-method="Secret" secret="mySecretPassword" mode="Immediate" blackhole="true"/> |
<connection name="toReading" local-ip="203.0.113.1" peer-ips="198.51.100.1" graph="ReadingIPsec" routes="10.0.0.0/24" local-ID="1" peer-ID="1" auth-method="Secret" secret="mySecretPassword" mode="Immediate" blackhole="true"/> |
||
</ipsec-ike> |
</ipsec-ike> |
||
</syntaxhighlight> |
|||
If you firewall WAN to 'Self' (The FireBrick), then a firewall filter may be needed too, eg: |
If you firewall WAN to 'Self' (The FireBrick), then a firewall filter may be needed too, eg: |
||
<syntaxhighlight lang=xml> |
|||
<rule name="IPsec from London FB" protocol="50" action="accept" source-ip="198.51.100.1"/> |
<rule name="IPsec from London FB" protocol="50" action="accept" source-ip="198.51.100.1"/> |
||
</syntaxhighlight> |
|||
You will also want to add firewall rules to allow traffic between the two LANs, eg, this will allow all traffic to and from Reading and will not NAT the traffic: |
You will also want to add firewall rules to allow traffic between the two LANs, eg, this will allow all traffic to and from Reading and will not NAT the traffic: |
||
<syntaxhighlight lang=xml> |
|||
<rule-set name="IPsec" source-interface="LAN ipsec" target-interface="LAN ipsec" no-match-action="continue" comment="Allow all traffic "> |
<rule-set name="IPsec" source-interface="LAN ipsec" target-interface="LAN ipsec" no-match-action="continue" comment="Allow all traffic "> |
||
<rule name="Allow" set-graph="IPSecTraffic" action="accept" set-nat="false" /> |
<rule name="Allow" set-graph="IPSecTraffic" action="accept" set-nat="false" /> |
||
</rule-set> |
</rule-set> |
||
</syntaxhighlight> |
|||
This rule actually allows all traffic from all IPSec connections - so do edit to suit your environment. |
This rule actually allows all traffic from all IPSec connections - so do edit to suit your environment. |
||
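Review bot: the "WAN to Self" filter in this hunk is mislabelled for the London FireBrick: `<rule name="IPsec from London FB" protocol="50" action="accept" source-ip="198.51.100.1"/>` sits in the London config but matches 198.51.100.1, which is the Reading peer's address in the `<connection>` line above it, so it should read "IPsec from Reading FB" to avoid confusing anyone copying the config. While touching that line, note that it admits only protocol 50 (ESP); the element being configured is `<ipsec-ike>`, so the IKE exchange itself (UDP 500, plus 4500 where NAT traversal is in play) must also be able to reach Self, or the tunnel never negotiates; the "may be needed" sentence would be clearer if it said so. Finally, the `secret="mySecretPassword"` pre-shared key is stored in clear text in the FireBrick config, so the wiki text should tell readers to replace it with a long random value that is not reused elsewhere.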
| Line 45: | Line 51: | ||
==FireBrick Reading Config== |
==FireBrick Reading Config== |
||
<syntaxhighlight lang=xml> |
|||
<ipsec-ike comment="toLondon"> |
<ipsec-ike comment="toLondon"> |
||
<connection name="toLondon" local-ip="198.51.100.1" peer-ips="203.0.113.1" graph="LondonIPsec" routes="192.168.0.0/24" local-ID="1" peer-ID="1" auth-method="Secret" secret="mySecretPassword" mode="Immediate" blackhole="true"/> |
<connection name="toLondon" local-ip="198.51.100.1" peer-ips="203.0.113.1" graph="LondonIPsec" routes="192.168.0.0/24" local-ID="1" peer-ID="1" auth-method="Secret" secret="mySecretPassword" mode="Immediate" blackhole="true"/> |
||
</ipsec-ike> |
</ipsec-ike> |
||
</syntaxhighlight> |
|||
If you firewall WAN to 'Self' (The Firebrick), then a firewall filter may be needed too, eg: |
If you firewall WAN to 'Self' (The Firebrick), then a firewall filter may be needed too, eg: |
||
<syntaxhighlight lang=xml> |
|||
<rule name="IPsec from Reading FB" protocol="50" action="accept" source-ip="203.0.113.1"/> |
<rule name="IPsec from Reading FB" protocol="50" action="accept" source-ip="203.0.113.1"/> |
||
</syntaxhighlight> |
|||
You will also want to add firewall rules to allow traffic between the two LANs, eg, this will allow all traffic to and from London and will not NAT the traffic: |
You will also want to add firewall rules to allow traffic between the two LANs, eg, this will allow all traffic to and from London and will not NAT the traffic: |
||
<syntaxhighlight lang=xml> |
|||
<rule-set name="IPsec" source-interface="LAN ipsec" target-interface="LAN ipsec" no-match-action="continue" comment="Allow all traffic "> |
<rule-set name="IPsec" source-interface="LAN ipsec" target-interface="LAN ipsec" no-match-action="continue" comment="Allow all traffic "> |
||
<rule name="Allow" set-graph="IPSecTraffic" action="accept" set-nat="false" /> |
<rule name="Allow" set-graph="IPSecTraffic" action="accept" set-nat="false" /> |
||
</rule-set> |
</rule-set> |
||
</syntaxhighlight> |
|||
This rule actually allows all traffic from all IPSec connections - so do edit to suit your environment. |
This rule actually allows all traffic from all IPSec connections - so do edit to suit your environment. |
||
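Review bot: same naming mismatch as in the London hunk, mirrored: `<rule name="IPsec from Reading FB" protocol="50" action="accept" source-ip="203.0.113.1"/>` lives in the Reading config but matches 203.0.113.1, the London peer from the `<connection>` line, so it should be named "IPsec from London FB". The prose line "If you firewall WAN to 'Self' (The Firebrick)" also spells the product name differently from the London section ("FireBrick"), worth aligning since this revision only changed presentation. The `<rule-set name="IPsec" source-interface="LAN ipsec" target-interface="LAN ipsec" ...>` block is identical on both sides and, as the closing sentence already admits, accepts everything from every IPsec connection; since the two sites only exchange 10.0.0.0/24 and 192.168.0.0/24 per the `routes` attributes, the example would be safer scoped to those prefixes rather than leaving that as an exercise.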